The following two sets of traces show DHCP failing first and then DNS queries failing. You can tell this from the repeated DHCP and DNS requests. Ordinarily this wouldn't be very interesting, except that you can see the DHCP server offer an address and the name server respond with an address. OK, you say, there is a problem that prevents the responses from getting to the client. Well, yes, but the traces were taken with Etherpeek on the client, so the responses are getting through.
The problem was that the client system (Windows XP Home) had a personal firewall installed that blocked all incoming UDP packets destined for one of the svchost.exe processes. The user didn't recognize that the DHCP and DNS requests would go to the svchost process, so he blocked all traffic to them. Luckily, he didn't block outgoing traffic from the process, or we would never have seen the queries in the first place.

| Packet | Source | Destination | Delta Time | Protocol | Summary |
|---|---|---|---|---|---|
| 1 | 0.0.0.0 | IP Broadcast | | DHCP | C DISCOVER 10.111.183.75 armada |
| 2 | 10.111.183.1 | IP Broadcast | 00.020057 | DHCP | R OFFER 10.111.183.75 |
| 3 | 0.0.0.0 | IP Broadcast | 03.984161 | DHCP | C DISCOVER 10.111.183.75 armada |
| 4 | 0.0.0.0 | IP Broadcast | 08.001517 | DHCP | C DISCOVER 10.111.183.75 armada |
| 5 | 10.111.183.1 | IP Broadcast | 00.017475 | DHCP | R OFFER 10.111.183.75 |
| 6 | 0.0.0.0 | IP Broadcast | 14.993391 | DHCP | C DISCOVER 10.111.183.75 armada |
| 7 | 10.111.183.1 | IP Broadcast | 00.018899 | DHCP | R OFFER 10.111.183.75 |

After changing the firewall to allow UDP packets from port 68, we can use DHCP to get an address.

| Packet | Source | Destination | Delta Time | Protocol | Summary |
|---|---|---|---|---|---|
| 1 | 0.0.0.0 | IP Broadcast | | DHCP | C DISCOVER 10.111.183.75 armada |
| 2 | 10.111.183.1 | IP Broadcast | 00.035034 | DHCP | R OFFER 10.111.183.75 |
| 3 | 0.0.0.0 | IP Broadcast | 02.967518 | DHCP | C DISCOVER 10.111.183.75 armada |
| 4 | 10.111.183.1 | IP Broadcast | 00.015339 | DHCP | R OFFER 10.111.183.75 |
| 5 | 0.0.0.0 | IP Broadcast | 01.206816 | DHCP | C REQUEST 10.111.183.75 armada |
| 6 | 10.111.183.1 | IP Broadcast | 00.015400 | DHCP | R ACK |

And now we have the same problem with DNS on port 53.

| Packet | Source | Destination | Delta Time | Protocol | Summary |
|---|---|---|---|---|---|
| 1 | 10.111.183.75 | 10.110.96.5 | | DNS | C QUERY NAME=www.cnn.com |
| 2 | 10.110.96.5 | 10.111.183.75 | 00.017760 | DNS | R QUERY STATUS=OK NAME=www.cnn.com |
| 3 | 10.111.183.75 | 10.110.96.5 | 00.982493 | DNS | C QUERY NAME=www.cnn.com |
| 4 | 10.110.96.5 | 10.111.183.75 | 00.017610 | DNS | R QUERY STATUS=OK NAME=www.cnn.com |
| 5 | 10.111.183.75 | 10.110.96.5 | 00.983689 | DNS | C QUERY NAME=www.cnn.com |
| 6 | 10.110.96.5 | 10.111.183.75 | 00.021240 | DNS | R QUERY STATUS=OK NAME=www.cnn.com |
| 7 | 10.111.183.75 | 10.110.96.2 | 01.981631 | DNS | C QUERY NAME=www.cnn.com |
| 8 | 10.111.183.75 | 10.110.96.5 | 00.000173 | DNS | C QUERY NAME=www.cnn.com |
| 9 | 10.110.96.2 | 10.111.183.75 | 00.017870 | DNS | R QUERY STATUS=OK NAME=www.cnn.com |

After changing the firewall to allow UDP packets from port 53, we can get DNS responses.

| Packet | Source | Destination | Delta Time | Protocol | Summary |
|---|---|---|---|---|---|
| 1 | 10.111.183.75 | 10.110.96.5 | | DNS | C QUERY NAME=www.cnn.com |
| 2 | 10.110.96.5 | 10.111.183.75 | 00.017598 | DNS | R QUERY STATUS=OK NAME=www.cnn.com |

Note that while in this case the user had a personal firewall, the same thing (and the same traces) can happen under MS Windows 2000/XP/2003 if the user uses the TCP/IP filtering setting on the Options tab of the Advanced TCP/IP Settings dialog box to filter all UDP traffic.
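
The signature in the failing traces, a reply captured on the client followed by yet another retry of the same request, can be checked mechanically. The sketch below is an added example, not part of the original page: the helper names, the `|`-separated row format and the threshold of two answered retries are assumptions, and the rows are the page's own DHCP traces with the delta-time column dropped.

```python
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "src dst proto summary")

def parse(trace):
    """Parse 'source|destination|protocol|summary' rows (format assumed for this example)."""
    return [Pkt(*line.split("|")) for line in trace.strip().splitlines()]

def answered_retries(packets):
    """Count requests re-sent after a reply was captured ('C' = request, 'R' = reply)."""
    counts, pending = Counter(), {}   # pending: proto -> (request text, reply seen?)
    for p in packets:
        kind, _, text = p.summary.partition(" ")
        if kind == "C":
            if pending.get(p.proto) == (text, True):
                counts[(p.proto, text)] += 1   # same request again after a reply
            pending[p.proto] = (text, False)
        elif kind == "R" and p.proto in pending:
            pending[p.proto] = (pending[p.proto][0], True)
    return counts

def suspect_local_filter(packets, threshold=2):
    """Requests retried `threshold`+ times after a reply reached the capture point."""
    # On a client-side capture this means the reply arrived but was dropped locally.
    return sorted(k for k, n in answered_retries(packets).items() if n >= threshold)

# Rows from the page's DHCP traces, delta-time column dropped.
DHCP_BLOCKED = parse("""
0.0.0.0|IP Broadcast|DHCP|C DISCOVER 10.111.183.75 armada
10.111.183.1|IP Broadcast|DHCP|R OFFER 10.111.183.75
0.0.0.0|IP Broadcast|DHCP|C DISCOVER 10.111.183.75 armada
0.0.0.0|IP Broadcast|DHCP|C DISCOVER 10.111.183.75 armada
10.111.183.1|IP Broadcast|DHCP|R OFFER 10.111.183.75
0.0.0.0|IP Broadcast|DHCP|C DISCOVER 10.111.183.75 armada
10.111.183.1|IP Broadcast|DHCP|R OFFER 10.111.183.75
""")
DHCP_ALLOWED = parse("""
0.0.0.0|IP Broadcast|DHCP|C DISCOVER 10.111.183.75 armada
10.111.183.1|IP Broadcast|DHCP|R OFFER 10.111.183.75
0.0.0.0|IP Broadcast|DHCP|C DISCOVER 10.111.183.75 armada
10.111.183.1|IP Broadcast|DHCP|R OFFER 10.111.183.75
0.0.0.0|IP Broadcast|DHCP|C REQUEST 10.111.183.75 armada
10.111.183.1|IP Broadcast|DHCP|R ACK
""")

if __name__ == "__main__":
    print("blocked:", suspect_local_filter(DHCP_BLOCKED))
    print("allowed:", suspect_local_filter(DHCP_ALLOWED))
```

The working DHCP trace still contains one answered retry, which is why the threshold is two rather than one. The same function applies unchanged to the DNS traces, where `C QUERY` is retried after each `R QUERY STATUS=OK`.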